Merge pull request 'Set up openresty' (#502) from feature/501-openresty into master

Reviewed-on: #502

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -52,16 +52,17 @@ end
   end
 end
 
-# TODO check if nginx is installed/running on the node
-file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
-  content <<-EOF
-#!/usr/bin/env bash
-# Reloading nginx is enough to read the new certificates
-systemctl reload nginx
-  EOF
-  mode 0755
-  owner "root"
-  group "root"
+if node.run_list.roles.include?("openresty_proxy")
+  file "/etc/letsencrypt/renewal-hooks/post/openresty" do
+    content <<-EOF
+  #!/usr/bin/env bash
+  # Reloading openresty is enough to read the new certificates
+  systemctl reload openresty
+    EOF
+    mode 0755
+    owner "root"
+    group "root"
+  end
 end
 
 # include_recipe 'kosmos-base::systemd_emails'

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -0,0 +1,50 @@
+resource_name :tls_cert_for
+provides :tls_cert_for
+
+property :domain, [String, Array], name_property: true
+property :auth, [String, NilClass], default: nil
+
+default_action :create
+
+def initialize(*args)
+  super
+
+  @run_context.include_recipe 'kosmos-base::letsencrypt'
+end
+
+action :create do
+  domains = Array(new_resource.domain)
+
+  case new_resource.auth
+  when "gandi_dns"
+    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+    hook_path = "/root/gandi_dns_certbot_hook.sh"
+    template hook_path do
+      cookbook "kosmos-base"
+      variables gandi_api_key: gandi_api_data_bag_item["key"]
+      mode 0770
+    end
+
+    # Generate a Let's Encrypt cert (only if no cert has been generated before).
+    # The systemd timer will take care of renewing
+    execute "letsencrypt cert for #{domains.join(', ')}" do
+      command <<-CMD
+      certbot certonly --manual -n \
+        --preferred-challenges dns \
+        --manual-public-ip-logging-ok \
+        --agree-tos \
+        --manual-auth-hook '#{hook_path} auth' \
+        --manual-cleanup-hook '#{hook_path} cleanup' \
+        --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
+        --email ops@kosmos.org \
+        #{domains.map {|d| "-d #{d}" }.join(" ")}
+      CMD
+      not_if do
+        ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
+      end
+    end
+  else
+    # regular http auth
+  end
+end

site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+
+set -euf -o pipefail
+
+# ************** USAGE **************
+#
+# Example usage (with this hook file saved in /root/):
+#
+#   sudo su -
+#   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
+#     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
+#
+# This hook requires configuration, continue reading.
+#
+# ************** CONFIGURATION **************
+#
+# GANDI_API_KEY: Your Gandi Live API key
+#
+# PROVIDER_UPDATE_DELAY:
+#   How many seconds to wait after updating your DNS records. This may be required,
+#   depending on how slow your DNS host is to begin serving new DNS records after updating
+#   them via the API. 30 seconds is a safe default, but some providers can be very slow
+#   (e.g. Linode).
+#
+#   Defaults to 30 seconds.
+#
+GANDI_API_KEY="<%= @gandi_api_key %>"
+PROVIDER_UPDATE_DELAY=2
+
+regex='.*\.(.*\..*)'
+if [[ $CERTBOT_DOMAIN =~ $regex ]]
+then
+  DOMAIN="${BASH_REMATCH[1]}"
+else
+  DOMAIN="${CERTBOT_DOMAIN}"
+fi
+
+# To be invoked via Certbot's --manual-auth-hook
+function auth {
+    curl -s -D- -H "Content-Type: application/json" \
+        -H "X-Api-Key: ${GANDI_API_KEY}" \
+        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
+             \"rrset_type\": \"TXT\",
+             \"rrset_ttl\": 3600,
+             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+
+
+    sleep ${PROVIDER_UPDATE_DELAY}
+}
+
+# To be invoked via Certbot's --manual-cleanup-hook
+function cleanup {
+    curl -s -X DELETE -H "Content-Type: application/json" \
+        -H "X-Api-Key: ${GANDI_API_KEY}" \
+        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+}
+
+HANDLER=$1; shift;
+if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
+  $HANDLER "$@"
+fi

site-cookbooks/kosmos_assets/metadata.rb

@@ -7,4 +7,5 @@ long_description 'Configures static asset Web hosting'
 version '1.0.0'
 chef_version '>= 15.10' if respond_to?(:chef_version)
 
-depends "kosmos-nginx"
+depends "kosmos-base"
+depends "kosmos_openresty"

site-cookbooks/kosmos_assets/recipes/nginx_site.rb

@@ -1,38 +1,36 @@
 #
 # Cookbook:: kosmos_assets
-# Recipe:: nginx_site
+# Recipe:: openresty_site
 #
 
-include_recipe "kosmos-nginx"
+include_recipe "git"
+include_recipe "kosmos_openresty"
 
 domain = node["kosmos_assets"]["domain"]
 
-nginx_certbot_site domain
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
 
 directory "/var/www/#{domain}/site" do
-  user node["nginx"]["user"]
-  group node["nginx"]["group"]
+  user node["openresty"]["user"]
+  group node["openresty"]["group"]
   mode "0755"
+  recursive true
 end
 
 git "/var/www/#{domain}/site" do
-  user node["nginx"]["user"]
-  group node["nginx"]["group"]
+  user node["openresty"]["user"]
+  group node["openresty"]["group"]
   repository node["kosmos_assets"]["repo"]
   revision node["kosmos_assets"]["revision"]
   action :sync
 end
 
-template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
-  source "nginx_conf_assets.erb"
-  owner node["nginx"]["user"]
-  mode 0640
+openresty_site domain do
+  template "nginx_conf_assets.erb"
   variables domain: domain,
-            ssl_cert:    "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:     "/etc/letsencrypt/live/#{domain}/privkey.pem"
-  notifies :reload, "service[nginx]", :delayed
-end
-
-nginx_site domain do
-  action :enable
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem"
 end

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -2,13 +2,14 @@
 # Generated by Chef
 
 server {
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 
   root /var/www/<%= @domain %>/site;
 
-  access_log off;
+  access_log <%= node['openresty']['log_dir'] %>/<%= @domain %>.access.log;
+  error_log <%= node['openresty']['log_dir'] %>/<%= @domain %>.error.log;
   gzip_static on;
   gzip_comp_level 5;
 

site-cookbooks/kosmos_openresty/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/kosmos_openresty/CHANGELOG.md

@@ -0,0 +1,5 @@
+# kosmos_openresty CHANGELOG
+
+## 0.1.0
+
+Initial release.

site-cookbooks/kosmos_openresty/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Kosmos
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/kosmos_openresty/README.md

@@ -0,0 +1,4 @@
+# kosmos_openresty
+
+Wrapper cookbook for our fork of the openresty cookbook. It adds support for
+installing from the package using the official apt repository.

site-cookbooks/kosmos_openresty/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_openresty/metadata.rb

@@ -0,0 +1,10 @@
+name 'kosmos_openresty'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures openresty'
+version '0.1.0'
+chef_version '>= 18.0'
+
+depends 'kosmos-base'
+depends 'openresty'

site-cookbooks/kosmos_openresty/recipes/default.rb

@@ -0,0 +1,7 @@
+#
+# Cookbook:: kosmos_openresty
+# Recipe:: default
+#
+
+# Install openresty from official packages
+include_recipe 'openresty::apt_package'

site-cookbooks/kosmos_openresty/recipes/firewall.rb

@@ -0,0 +1,11 @@
+#
+# Cookbook Name:: kosmos_openresty
+# Recipe:: firewall
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "http/https" do
+  port     [80, 443]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_openresty/recipes/hello_world.rb

@@ -0,0 +1,10 @@
+#
+# Cookbook:: kosmos_openresty
+# Recipe:: hello_world
+#
+
+openresty_site 'hello_world' do
+  template 'hello_world.conf.erb'
+  redirect_http false
+  action :enable
+end

site-cookbooks/kosmos_openresty/templates/hello_world.conf.erb

@@ -0,0 +1,9 @@
+server {
+        listen 80 reuseport;
+        location / {
+                default_type text/plain;
+                content_by_lua_block {
+                        ngx.say("Hello World")
+                }
+        }
+}